yeah, that's kinda what i was thinking...i just didn't get around to doing it, and instead just told devfs not to mount automatically at boot, since gentoo does it itself with devfsd

and i think i figured out how to encrypt the other drives with a fixed key...reading a bit past the encrypt root FS stuff in the loop-AES readme gives some examples (including the magic -p 0 for losetup)

I think using a key gotten from /dev/random and then the key encrypted with GPG would be lots better than using a hashed key from a pass phrase. I know how to do this on partitions that aren't root. If anyone knows how to do it on a root filesystem please post!

here is a little summary for how I set up my /usr/local partition to be encrypted, and mounted without a password (this is unsecure if you don't have an encrypted root fs, since the password is stored in a file)

READ THIS THROUGH BEFORE TRYING IT IN CASE I FORGOT ANYTHING. BE SURE TO BACKUP YOUR DATA!!!

1.) Run the following twice to get your seed and password

Code:

head -c 15 /dev/urandom | uuencode -m - | head -2 | tail -1

You will get 2 strings similar to the following
djYFGvsKuiMIJkerw3H8
zZEomoTvDgFTfRz+o7RN

copy them to a file, or write them down...the first one will be used as your random seed, the second will be used as your password.

2.) Make sure to backup all important data on the partition you are going to encrypt.

3.) Make the loop device. Assuming you want /dev/loop4 to be the device to use for your mounted device, and assuming /dev/hdb5 is the partition you want to encrypt, the following works. Substitute your random seeds and passwords for the ones i just made up....

This sets up a loop device that will use AES256 encryption....the password is read from the echo because of the -p 0 flag, and the -S sets the random seed (which was missing from the original howto in this thread, because it's not necessary, but does make it more secure). If you are going to do the -S for the encrypting root, READ THE LOOP-AES README!!! It has very nice instructions!

4.) Encrypt the drive:

Code:

dd if=/dev/hdb5 of=/dev/loop4 bs=64k conv=notrunc

This will take a while, and won't show anything, but your hard drive light should be flashing (if the light works, that is)
So be patient...read Calvin and Hobbes or play the new Zelda game.

5.) Your drive is now encrypted....you need to make an rc script with the following in it (or something similar)

This puts it in the boot runlevel (an early one) and should (for me it doesn't...???) have it run before your modules are loaded....it may work for you.

8.) Edit your fstab...change the line for /usr/local (or whatever) to read as so:

Code:

/dev/loop4 /usr/local ext3 noauto,noatime 0 0

I have the noauto in there because for whatever reason, the rc-update isn't running the loopsetup where it is supposed to, even with the depend statement...I'm not sure why. It's very annoying. If anyone can solve that, it would be nice. It (for me) ends up getting run way later on. If that gets solved, make sure to change the last number in that fstab line to a 1, so the loop device gets fscked for errors.

9.) If you have gotten it working so that it will run the loopsetup before it tries to mount filesystems, then ignore this step. If you didn't get rc-update to work correctly, put the following in your /etc/conf.d/local.start or make a new init script, whatever...

Code:

/bin/mount /usr/local

again, substitute...blah blah...

10.) Your partition should be encrypted and should autoload without a password now. Make sure you keep the loopsetup file chmod 700 so that nobody else can read it, as it has your passwords in it. This is relatively secure since your root filesystem is encrypted so that anybody who would steal the drive and try to read it would first have to break the encryption for the root drive before they could get the password out of the file.

Yeah, that is what I meant by unencrypting the partition... My mistake.

It worked but man was my drive hosed up. I'm gonna have to recover some key files and reinstall I think... Too many files are giving me errors like syslog and rsync... Oh well, stuff happens...
_________________
-- Woody2143

I think it would be really great to have the whole /boot filesystem on a USB keychain drive. That way NOTHING would have to be on the /root or other filesystems that's not encrypted. I don't have a USB keychain drive but i am going to get one and try it I think.

Does anyone know if a USB keychain disk drive is seen by the BIOS? Will it try to boot from it?

Btw the partition types don't have to be 82 or 83 on anything except the /boot. You can set them to DA = NON-FS DATA or anything else you want and it works. With /boot on a USB keychain no one would even know what operating system is on the hard disk!

If the USB dongles are anything like my digital camera, they will end up being /dev/sda or something along those lines.

Pretending you have your /dev/hda set up as following:
/dev/hda1 /
/dev/hda2 swap
/dev/hda3 /usr/local
or something like that
and you have your /boot on the keychain drive located at (find this out before you do this) /dev/sda1

I don't think it would be easy to have the BIOS boot from the keychain drive, unless the BIOS would see it as a SCSI device as well...?
however, you could use lilo (or grub) to accomplish this, I would imagine, by having lilo install itself in the MBR of /dev/hda but having the /boot in lilo point to /dev/sda1 or something

Thinking about this more, it might not work since the kernel hasn't loaded yet, and unless the BIOS assigns the keychain drive a value of sorts, it wouldn't be loaded yet as /dev/sda. I'm not sure.

In retrospect, this whole post is probably incorrect and pointless. Sorry, heh.

Wow what an exciting idea! I mean to have the entire harddrive encrypted and the kernel on some sort of external media.
I agree that a usb keychain would be cool, but if it's not possible then what about a floppy disk? or maybe a cdrom? Wouldn't one of those work? Or would the external media need to contain the entire /boot partition? a cdrom could hold that easily but i doubt a floppy could. meh..
_________________
Blizzard you suck.

I've been trying to figure out how to make a little cdrom (one that will fit in my pocket) that contains just the /boot stuff. So far I don't know how to make it bootable. Once I can get it to load the kernel it should be ok to use the loop-AES initrd.gz and ramdisk and then prompt for the pass phrase and chroot/pivot to the real encrypted root.

Does anyone know how to make a bootable cdrom with grub? or where a HOWTO is? What I don't know how to do is tell grub to put its bootstrap stuff that normally goes in the mbr into something that the BIOS understands when it tries to boot the CDROM. Everything I found so far says it has to be a floppy or a disk image and I'm real confused about how to make that part.

The problem with lilo of course is that if you change kernels, or change configuration you have to re-run lilo.. so this may mean that you would have to burn a new disk every time you needed to run lilo again (i think..)
_________________
Blizzard you suck.

When I first read this, I was really tempted to wipe RedHat off my laptop (which I'm going to do soon anyway), and install an encrypted Gentoo. But, after thinking about it, I've seen two problems, and I just wanted to throw them out here to see what people think.

Encrypting a file is very secure, as you can't make many guesses as to what might be inside it, unless you know what you're looking for. It's only a small file after all, which makes it very difficult to crack. However, if you're encrypting an N Gb HD there's a lot more bytes to look for patterns in. Considering you know you're booting Gentoo (or at least some linux kernel) you can make a few guesses as to which filesystem you're installing. Surely then you can look for the thousands of empty inodes on the disc? They'll be in fairly predictable places. You also know the directory structure, and can guess at the contents of quite a few of the plaintext files. Wouldn't this make it far easier (though not actually EASY for non-governmental bodies) to break?

A second problem (if you live in the UK), is that encrypting your drive is completely pointless, unless it is hiding evidence of crimes that carry sentences of greater than 3 years in prison, as failing to hand over a password to encrypted data when instructed by a representative of the Home Office is itself now a crime, courtesy of the RIP Act. And you have to prove you don't have the key, innocence is not assumed (which contravenes other laws I hope). And it's illegal to tell anybody if they ask you for the key too, IIRC.

I'd be really happy to be proved wrong on either of these points though.

To boot off of a CD you could just use ISOLinux as your boot loader its part of the syslinux family. I use it to have multiple boot images on one CD.

Also to who ever was wondering how to boot Knoppix on their laptop that doesn't support BootCD's. There is a disk image you can write to a floppy that will allow you to boot the CD. Browse around the cd and you will find it.

Well... looks like I messed up everything. I followed instructions step by step and ended up with an unreadable root partition.
There was a problem with devfs so I decided to decrypt the partition, and that's where shit hits the fan. When I tried to mount /dev/loop5 (under Knoppix, after doing a losetup) it told me it could not recognize filesystem. Then after I did my decrypt (dd if=/dev/loop5 of=/dev/sdb3 bs=64k notrunc), sdb3 could not be read either.
It does not recognize the file system.

Any idea? if it's only some minor stuff that got damaged, I could maybe recover it.

A second problem (if you live in the UK), is that encrypting your drive is completely pointless, unless it is hiding evidence of crimes that carry sentences of greater than 3 years in prison, as failing to hand over a password to encrypted data when instructed by a representative of the Home Office is itself now a crime, courtesy of the RIP Act. And you have to prove you don't have the key, innocence is not assumed (which contravenes other laws I hope). And it's illegal to tell anybody if they ask you for the key too, IIRC.

I don't know about anyone else but I encrypted my drive (laptop) so if it gets nicked, I know nobody will be able to see what I have on there* - eg my company's accounts!

Well, I just crashed another partition by trying to encrypt the system, although that time I didn't lose anything since it was a stage1 install. Anyway I think I narrowed down a bit better the problem and I have a question everyone who made this working should be able to answer.

When you first use the losetup program, it asks you for a password. After that you encrypt the system with dd if/of.

Now when you use again losetup to mount your encrypted partition (be it to decrypt it or to mount it), it asks for a password. You MUST enter the password that you entered the FIRST TIME right? and if you enter something else... it fails, right? Seems quite logical... The problem is after I encrypt my partition, if I want to mount it using losetup, it asks again for a password. But I can enter whatever I want, like if it had not been encrypted the first time.
Basically, I think that the encryption process fucks up somewhere and that then the partition cannot be recognized, either as a reiserfs system or as a crypted system. Thus losetup always thinks it's a "decrypted" partition.

Any thoughts please? and has anyone read/heard about a problem with encrypting scsi disks? I started looking into mailing-list but haven't found anything yet.

Anyway... off to the reinstall again!

Yeah, it will let you enter in anything when you losetup...but you should enter the password you used. If you don't enter that password, it won't decrypt correctly, and if you try to dd if=/dev/loop5 of=/dev/sda1 or whatever, it's gonna fuck up the system, and there's nothing you can do.

Make SURE you use the correct password...it does ask twice with the -t switch
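An added example, not part of any post in this thread: because losetup accepts any passphrase and a wrong one just yields garbage, this check looks for a filesystem signature on the decrypted loop device before the destructive dd is allowed to run. The function names are hypothetical; the offsets are the standard ext2/ext3 and reiserfs superblock magic locations, and the device names in the closing comment are the ones used above.

```shell
#!/bin/sh
# Added example: confirm a loop device decrypts to a real filesystem
# before copying it back over the partition with dd.

# Print COUNT bytes found at byte OFFSET of FILE as lowercase hex.
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print the detected filesystem family and return 0, or return 1 if the
# data carries no known signature (what a wrong key or seed produces).
detect_fs() {
    # ext2/ext3: superblock at byte 1024, s_magic 0xEF53 (little-endian) at +56
    if [ "$(read_hex "$1" 1080 2)" = "53ef" ]; then
        echo ext
        return 0
    fi
    # reiserfs: superblock at byte 65536, magic "ReIsEr..." at +52
    if [ "$(read_hex "$1" 65588 6)" = "526549734572" ]; then
        echo reiserfs
        return 0
    fi
    return 1
}

# Gate for the destructive step: succeed only when a signature is present.
safe_to_decrypt() {
    if fs=$(detect_fs "$1"); then
        echo "OK: $1 looks like $fs, passphrase is plausibly correct"
        return 0
    fi
    echo "STOP: no filesystem signature on $1, do not run dd" >&2
    return 1
}

# Intended use (device names are the ones used in the thread):
#   losetup -e AES256 /dev/loop5 /dev/sdb3
#   safe_to_decrypt /dev/loop5 && dd if=/dev/loop5 of=/dev/sdb3 bs=64k conv=notrunc
```

A two-byte ext magic can match by chance, so follow a positive result with a read-only mount of the loop device before writing anything back.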

I like the idea, great howto Chadders. Wish I was into this stuff when I was 13 and a half.

Anyway has anyone tried this on a laptop. Mine is still installing at the moment. Reason I am asking is I had to do a floppy boot disk then a network install using redhat. So booting from knoppix CD is not an option.

Don't want to throw cold water on this idea, but why would you want to encrypt your ENTIRE filesystem?
Anybody can get a copy of 'ls', they don't have to steal one.
Which, leads to a second point. Probably, encrypting the entire filesystem is actually less secure than just encrypting your own personal data. After all, it is much easier to crack encryption if you have some idea of what is encrypted. A hacker would simply need to compare your encrypted copy of some common config file to their unencrypted one. This would give them a hand hold to break into the system.
Maybe I'm wrong. I don't actually know anything about the details of this but prima facie the point seems valid.

Don't want to throw cold water on this idea, but why would you want to encrypt your ENTIRE filesystem?

Some may want to keep people off it (brothers, sisters, government!), personally, I have my laptop encrypted as I do a lot of my work on there. If somebody steals it, I can be as sure as I can be that they can't boot the system / view my files.

mihochan wrote:

Anybody can get a copy of 'ls', they don't have to steal one.
Which, leads to a second point. Probably, encrypting the entire filesystem is actually less secure than just encrypting your own personal data. After all, it is much easier to crack encryption if you have some idea of what is encrypted. A hacker would simply need to compare your encrypted copy of some common config file to their unencrypted one. This would give them a hand hold to break into the system.

An intruder can't get a 'copy of ls' of an encrypted system / partition / file, you misunderstand how this encryption works. Check out Chadders first post or the loopAES README file for an overview.
_________________
Cheers,